Istio (1.6.2) : RBAC Access Denied for Valid JWT Token

I’m new to Istio. I’m implementing Authorization with JWT. I get RBAC access denied error for a valid JWT token. I’ve added the JWT Payload and Authorization Policy for reference.
I’m using kubernetes version v1.18.3 and Istio 1.6.2. I’m running cluster on minikube.

@YangminZhu ^^ can you take a look?

Can you add your request authentication yaml?

apiVersion: “security.istio.io/v1beta1
kind: “RequestAuthentication”
metadata:
name: dex-ms-contact-jwt
namespace: default
spec:
selector:
matchLabels:
app: dex-ms-contact
jwtRules:

Hi @sweta581990

You have to apply the RequestAuthentication & Authorizationpolicy on the Istio-ingressgateway pod in the istio-system in case if you are accessing from the outside the cluster. and generate the token use it when accessing the application Authorization: Bearer $TOKEN

may be this will help you.

try this:

RequestAuthentication

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "dex-ms-contact-jwt"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer:  “https://dev-n63ipah2.us.auth0.com/”
    jwksUri: “https://dev-n63ipah2.us.auth0.com/.well-known/jwks.json”
    audience:
     - “http://10.97.72.213/”

Authorizationpolicy

    apiVersion: "security.istio.io/v1beta1"
    kind: "AuthorizationPolicy"
    metadata:
      name: "dex-ms-contact-require-jwt"
      namespace: istio-system
    spec:
      selector:
        matchLabels:
          istio: ingressgateway
      action: ALLOW
      rules:
      - from:
        - source:
           requestPrincipals: ["https://dev-n63ipah2.us.auth0.com/sEbjHGBcZ16D0jk8wohIp7vPoT0MWTO0@clients"]
        to:
        - operation:
           methods: ["*"]
           paths: ["*"]
        when:
        - key: request.auth.claims[iss]
          values: ["https://dev-n63ipah2.us.auth0.com/"]

look this:

1 Like

@Shubham, @mandarjog

Hi, I have few queries:

Let’s say I applied authentication and authorization policy at ingressgateway.
Now I again apply authentication and authorization policy at namespace level.(Note: I have not deleted the ingressgateway authentication and authorization policy yet.)

Istio will consider which policy(ingressgateway or namespace level)?
Can I apply both the ingressgateway and namespace level at same time? If yes, which one take precedence or both will work at same time? If no, what should be the ideal way to apply policy at all the levels and expected behavior? Could you please explain me with some example Lets say we have ingressgateway (I) , Service A and Service B(in same namespace)

Also, How virtual service and authentication and authorization policy are connected?

@Shubham, @mandarjog Could you please reply. Thanks!

Istio will consider which policy(ingressgateway or namespace level)?
Can I apply both the ingressgateway and namespace level at same time?

The basic model is that request authentication and authorization policy are additive, which means multiple policies applied to the same workload will have effect at the same time. In your example, if you apply the policy on ingressgateway which is usually in the namespace istio-system, and apply some other policies in another namespace (e.g. foo), those policies will not take effect at the same time because they are not applied to the same workload. See https://istio.io/latest/docs/concepts/security/#policy-target for more details.

Also, How virtual service and authentication and authorization policy are connected?

The VirtualService applies to Envoy in the client side, it has nothing to do with the auth policy which take place in the server side Envoy.

For your original question, I noticed that there is an extra / in your JWT token issuer, which means the requestPrincipal should be https://dev-n63ipah2.us.auth0.com//sEbjHGBcZ16D0jk8wohIp7vPoT0MWTO0@clients. There is also another reply in your original post for this, please give this a try and let me know if it fixes the issue. Thanks.

2 Likes

Sorry for late response @sweta581990

But what @YangminZhu Said is right. Thanks @YangminZhu
i didn’t notice that “/”.
taking your case(policies you apply on workload) – May be you should access the app application with header Authorization: Bearer $TOKEN
try it when you curl.

@YangminZhu, @Shubham Let’s say I have 3 namespace:

  1. istio-system
  2. foo (2 services are running service A and service B)
  3. bar (3 services are running service C, service D and service E)

I applied policies at ingressgateway, I will be able to access service A and service B(in foo namespace) only through bearer token right?
Also service C, service D and service E which are in namespace bar only through bearer token right?

Can I apply different policy for namespace foo and namespace bar at the same time?
if yes, will both the policies work at same time (considering I have not applied policy at ingressgateway)

Also, Let’s say I have 2 applications running. one is web application (Service A) and other expose just a simple rest api (Service B) in same namespace. In Auth0 there are 2 application clients registered for each application to generate token. Can i use different policies for each application in same namespace?

@YangminZhu @Shubham Could you please reply. thanks!

Hi @sweta581990

  • you can access the service from outside the cluster through bearer token if you apply
    the policy to the ingressgateway with proper gateway rule & VirtualService.
  • From my understanding u can apply the diif policy to foo and bar ns at same time. its
    work. i try it by applying Requestauthenticationpolicy & Authorizationpolicy in foo & bar
    ns. have same applications. (i.e. httpbin & sleep) i used same token for them. when
    i accessed from sleep.foo to httpbin.bar with bearer token then it gave me
    200(succesful accessed) without token i can’t accessed it and vice versa also.
  • diffpolicies for diff applications in same namesace… not sure but may be yes. you can
    apply it workload specific policy.

It is on my understanding & i am still learning the things so may be i am wrong. so if you find anything wrong so pls tell me also its good for me. @YangminZhu will tell more accurate about it…

@YangminZhu Could you please help. Thanks!

@mandarjog Could you please help thanks!

Yes.

and yes. (Note you need to make sure your traffic is going through the ingress gateway in the first place if you plan to apply the policy on ingress gateway)

Yes, you can do this and they will take effect at the same time. Say you have policy x on ingress gateway, policy y on namespace foo and policy z on namespace bar.

policy x and y will take effect for requests to namespace foo assuming it’s going through ingress gateway.

policy x and z will take effect for requests to namespace bar assuming it’s going through ingress gateway.

yes, this is the workload-level policy, say you have policy m on service A in namespace foo, and policy n on server B in the same namespace, with the policy x on ingress gateway and policy y on namespace foo:

policy x, y and m will take effect for requests to service A in namespace foo assuming it’s going through ingress gateway.

policy x, y and n will take effect for requests to service B in namespace foo assuming it’s going through ingress gateway.

1 Like

Thanks @YangminZhu for the explantion. so what i have said above is right.!